How distributed weakness filing system might assist MITRE’s CVEs

Complaints about the current Common Vulnerability Enumeration (CVE) from the MITRE organization have advanced a new community-powered Distributed Weakness Filing system (DWF).

MITRE-controlled CVEs, used to assign a specific number to each newly disclosed vulnerability, have been used in the infosec community for the last few years, but concerns around backlogs spilled over at last week’s AusCERT conference, with at least one presenter mocking the current practice. At issue is the fact that MITRE has fallen behind in issuing CVEs. Also, even when a CVE has been assigned, the details are often slow in coming.

Kurt Seifried, security researcher at Red Hat, thinks he has the answer in DWF. For one thing, DWF adds a more global perspective to CVE, which currently covers mostly English-language, North American software. It doesn’t, for example, have good coverage of software originating in Japan, India, China, Russia and other countries. Also, the current CVE doesn’t cover the medical industry, aerospace, cars and even the internet of things well.

“The DWF is also about experimenting with CVE; an example is that we have specified a data format for information related to the CVEs, such as severity information, workarounds and so on, that does not currently exist in the MITRE CVE database,” Seifried told eWEEK. “Part of the DWF plan is to make the data not only available to read, but also to write, assuming the data coming back is of sufficient quality, for anyone.”

Part of the problem with CVEs is a change in how MITRE runs the organization. This has resulted in a severe backlog. A new plan has been proposed to deal with the scale issues the system is currently experiencing.

“The long-term plan for CVE [and DWF] as it stands now is to move to a ‘federation’ model, with MITRE remaining as the master of CVE and then a number of entities covering various spaces,” Seifried explained to eWEEK. “DWF, for example, would focus on open source and, potentially, we could end up with country-/language-specific CVE entities, or industry verticals to cover specific technology use cases, like the software that governs self-driving cars.” DWF is available on GitHub.

Seifried said in the interview that MITRE is currently in Stage 1, where they are not consuming DWF data; they are just marking CVEs as “RESERVED” once the DWF has assigned them. “During Stage 2, MITRE will actually consume the DWF data [descriptions, etc.]; however, prior to Stage 2, MITRE wants to get the licensing and some other legalities all squared away, something that is being worked on with their lawyers and Red Hat’s legal team,” Seifried said.